CARP & IPSec VPN failover

  • I currently have 4 pfSense firewalls and 6 static addresses. Three addresses for my office and three for my datacenter; each has two of the pfSense firewalls. Currently CARP works in the sense that it syncs rules and information without error, and if the master goes down the backup takes over, and when the old master is brought back up the new master (the backup firewall) gives up its temporary role of master and returns to a backup role. However, when this happens the IPsec VPN tunnels are no longer accessible. The VPN tunnels are using the VIP for the office and it's connecting to the VIP at the datacenter. Though when the master firewall goes down the tunnels go down also, the logs show that the tunnels are still up; I get a check arrow saying that they are passing traffic, while I can't access any network resource on the other end.

    When the original master comes back up and is returned to master, the tunnels also come back up. It's just when the backup is the master that the VPN tunnels don't function. I made sure that the IPsec tunnel information is being synced, and it is. At this point I'm not sure what else to do; I have read through just about all of the documents on pfSense and still have no luck. I'm also not sure what other information is needed to explain this issue. Any help would be very nice, as right now I'm running out of ideas.

    Thank you for any of your help or comments.

  • I've got CARP on a cluster hosting six IPsec tunnels and it works fine when the master is down. Had this on 1.2.3 and recently upgraded to 2.0RC. Check the usual suspects: tunnel interface is the CARP interface, identifier is using the correct IP, states are sync'd on both, master has sync for rules, VIPs and IPsec to backup.

  • I checked before, but just in case I checked again.

    Tunnel interface is the CARP interface - it's the VIP for the CARP on both ends, yes. For example, the office VIP is set for the office side of the tunnel, and then the same on the other end.

    States are sync'd on both - checked this and it's correct; only one is master, the other is backup. When the master fails it switches over. Everything but the VPN tunnels comes back up.

    Master has sync for rules - checked this and it's correct.

    VIPs - checked this and it's correct.

    IPsec to backup - checked this and it's correct; rules and newly created tunnels sync over.

    Identifier is using the correct IP - it's set to "My IP Address". I wasn't sure if this should be the VIP or not, as it only identifies one of the ends. I would imagine that if the ID no longer matched, the tunnel would just renegotiate.

    Also, for whatever reason DPD is left blank and lifetime is also blank. Just to give you all the information you might need, the tunnel mode is also set to Aggressive.
    The IT company who configured this equipment left no information or documentation on what they were doing. I am very new to pfSense, if you can't tell.

    Thank you for your help, dotdash.

  • Sorry for the delay in reply, I've been travelling.
    Try setting the identifier to 'IP Address' and input the CARP address. This is how I have my tunnels configured. I would think 'My IP address' would pull the interface IP, in this case the CARP interface, but I like to set it to the CARP IP explicitly.

  • Hey, no problem; the fact you're helping is amazing, so again thank you.

    I will try this. We are only allowed to make changes on Tuesday nights, so I will try to slide this in for this week's testing.

    You know, that makes sense: you have to have an identifier at each end of the tunnel. If it was the direct interface and not the CARP, then when failover occurred the tunnel would have been built with the wrong address (since it was built by the master with one IP, which is no longer valid as it's down).
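The checklist dotdash gives earlier in the thread (tunnel bound to the CARP VIP, identifier set to the VIP, DPD and lifetime filled in) and the reasoning in the last post about why a node's own address breaks the ID check after failover can be put into a small linter plus a two-sided identity-check simulation. This is an added example written for this page, not pfSense code and not something either poster ran. The field names (interface, myid_type, myid_data, peerid_type, peerid_data, remote-gateway, mode, dpd_delay, lifetime) and the values "myaddress", "address" and "peeraddress" are an assumption loosely modelled on a pfSense config.xml phase 1 entry; the "_vip_*" interface keys, node names and addresses are constructed sample data. Under this simplified model, the configuration described in the thread (bound to the VIP, "My IP Address", aggressive mode, DPD and lifetime blank) still negotiates after failover, so the script does not reproduce the poster's failure, which the thread never diagnoses; what it does show is the failure mode described in the last post, where a tunnel keyed on the master's own WAN address cannot be rebuilt by the backup.

```python
"""Lint pfSense-style IPsec phase 1 entries for CARP failover pitfalls.

Added example for this thread; not pfSense code. Field names and values
are an ASSUMPTION loosely modelled on pfSense's config.xml <phase1> entry.
All addresses are constructed test data from the documentation ranges.
"""

# Constructed sample clusters: two CARP nodes per site, one shared VIP each.
OFFICE_VIP, DC_VIP = "203.0.113.10", "198.51.100.10"
VIPS = {"_vip_office": OFFICE_VIP, "_vip_dc": DC_VIP}   # interface key -> VIP
OFFICE_NODES = {"office-fw1": "203.0.113.11", "office-fw2": "203.0.113.12"}
DC_NODES = {"dc-fw1": "198.51.100.11", "dc-fw2": "198.51.100.12"}


def my_id(p1, node_wan_ip):
    """IKE identity this node would send for phase 1 entry p1.

    Assumed rules: 'myaddress' ("My IP Address") follows the tunnel interface,
    i.e. the VIP if bound to one, otherwise the node's own WAN address;
    'address' is whatever was typed into the identifier field.
    """
    id_type = p1.get("myid_type", "myaddress")
    if id_type == "address":
        return p1["myid_data"]
    if id_type == "myaddress":
        return VIPS.get(p1["interface"], node_wan_ip)
    return p1.get("myid_data", "")


def lint(p1, site_vip):
    """Return findings for one phase 1 entry that lives on a CARP cluster."""
    findings = []
    if p1["interface"] not in VIPS:
        findings.append("ERROR interface is a physical WAN, not the CARP VIP: "
                        "after failover the tunnel source is the dead master's IP")
    if p1.get("myid_type", "myaddress") == "myaddress":
        findings.append("WARN identifier 'My IP Address': set it explicitly to "
                        f"IP Address {site_vip} so both nodes send the same ID")
    elif p1.get("myid_type") == "address" and p1.get("myid_data") != site_vip:
        findings.append(f"ERROR identifier {p1.get('myid_data')} is not the VIP {site_vip}")
    if p1.get("peerid_type") == "address" and p1.get("peerid_data") != p1["remote-gateway"]:
        findings.append("WARN peer identifier does not match the remote gateway")
    if p1.get("mode") == "aggressive":
        findings.append("NOTE aggressive mode: identities travel in the clear and "
                        "the PSK hash is exposed to offline guessing; prefer main mode")
    if not p1.get("dpd_delay"):
        findings.append("WARN DPD disabled: the peer keeps a stale SA to the old "
                        "master until the lifetime expires")
    if not p1.get("lifetime"):
        findings.append("NOTE lifetime blank: the platform default applies")
    return findings


def _expected_peer_id(p1):
    # What this side demands from the peer: an explicit peer ID, else the gateway.
    if p1.get("peerid_type") == "address":
        return p1["peerid_data"]
    return p1["remote-gateway"]


def phase1_matches(local_p1, local_wan, remote_p1, remote_wan):
    """Simulate the identity check both sides perform during phase 1."""
    return (my_id(local_p1, local_wan) == _expected_peer_id(remote_p1)
            and my_id(remote_p1, remote_wan) == _expected_peer_id(local_p1))


def failover_ok(office_p1, dc_p1, office_node, dc_node):
    """True if the tunnel can negotiate with these nodes holding the VIPs."""
    return phase1_matches(office_p1, OFFICE_NODES[office_node],
                          dc_p1, DC_NODES[dc_node])


# Configuration as described in the thread: bound to the VIP, "My IP Address",
# aggressive mode, DPD and lifetime blank.
AS_FOUND = {"interface": "_vip_office", "myid_type": "myaddress",
            "peerid_type": "peeraddress", "remote-gateway": DC_VIP,
            "mode": "aggressive", "dpd_delay": "", "lifetime": ""}
DC_AS_FOUND = {**AS_FOUND, "interface": "_vip_dc", "remote-gateway": OFFICE_VIP}

# The failure mode from the last post: office side bound to the master's own
# WAN, datacenter pointed at that WAN address instead of the office VIP.
PHYSICAL = {**AS_FOUND, "interface": "wan"}
DC_TO_PHYSICAL = {**DC_AS_FOUND, "remote-gateway": OFFICE_NODES["office-fw1"]}

# dotdash's recommendation: bind to the VIP and set the identifier to it explicitly.
FIXED = {"interface": "_vip_office", "myid_type": "address", "myid_data": OFFICE_VIP,
         "peerid_type": "address", "peerid_data": DC_VIP, "remote-gateway": DC_VIP,
         "mode": "main", "dpd_delay": "10", "lifetime": "28800"}
DC_FIXED = {**FIXED, "interface": "_vip_dc", "myid_data": DC_VIP,
            "peerid_data": OFFICE_VIP, "remote-gateway": OFFICE_VIP}

if __name__ == "__main__":
    for label, off, dc in (("physical WAN", PHYSICAL, DC_TO_PHYSICAL),
                           ("as found", AS_FOUND, DC_AS_FOUND),
                           ("fixed", FIXED, DC_FIXED)):
        print(f"{label:12} master={failover_ok(off, dc, 'office-fw1', 'dc-fw1')} "
              f"after failover={failover_ok(off, dc, 'office-fw2', 'dc-fw1')}")
        for finding in lint(off, OFFICE_VIP):
            print("   ", finding)
```

Running it prints one line per scenario with the negotiation result before and after the office master fails, followed by the lint findings. The "physical WAN" scenario passes while office-fw1 holds the tunnel and fails once office-fw2 takes over, because office-fw2 sends its own address and the datacenter still expects the old master's; binding to the VIP makes the ID identical on both nodes, and setting it explicitly removes any dependence on how "My IP Address" is resolved on a given release.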
